RE: IDS detection approaches

[Nelson Brito <nbrito () sekure org>]

I do agree that SNORT is one of the most popular when you are learning about IDS, but it is possible to attack the IDS 
engine in a very easy way: 1) evasion; 2) DoS; 3) Flse Positive; 4) you name it...

That isn't a SNORT's weakness, it is a technology limitation: pattern matching. This is very easy to take advantage of 
the pattern itself  - in bad sense...

I think the best approach is when vendors get the knowledge of how the vulnerabilties work, istead of how the exploits 
exploit the vulnerability. This is so reactive that any new exploit / worm variant will require a new signature.

Keep in mind that when you know how the vulnerability can be exploited is better than know how so many exploits works, 
but it is not that easy! A signature database based on pattern is easier but gives you worng sense of protection, and 
this worse than no protection.

That said, IMHO, anomaly detection + signature database based on vulnerabilties + behavior detection + any other 
approach other than pattern means BETTER SECURITY / PROTECTION.

My 2 cents.

Nelson Brito (nbrito () sekure org)
Senior IPS Engineer & Pen-tester

-----Original Message-----
From: frankfrydrych () gmail com
Sent: Thursday, October 04, 2007 11:29 PM
To: focus-ids () securityfocus com
Subject: Re: IDS detection approaches

Hola,


I would completely go with a signature based IDS. Anomaly based IDS will not give you the greatest results. 


For signature base I highly recommend SNORT. It is probably one of the best IDS out there. Now I'm not just saying this 
as a "ooh open source is the best".  I truely believe this. I actually use to be a huge Cisco buff and just dealt with 
Cisco IDS. However, at my current job I am a security analyst and have to analyze events from Cisco, IIS, Juniper, etc, 
and SNORT beats them all. Mainly for the fact that you are able to see the packet payload and are able to make the 
decision if something is malicious based on the actual payload and not just the signature that is triggered (like some 
IDS). Also, when a new threat emerges usually SNORT users will create a signature to combat the threat. The other 
vendors create the signatures for you and it usually ends up to be like 3 months after the threat was actually a 
realistic threat. And on top of it the vendor signatures usually give out huge amount of false positves. Then again, an 
IDS is only as good as who tunes it. If you take A
 NY IDS and turn it on in a production network you will have so many false positives I garuntee you will miss actual 
threats. Every IDS (including SNORT) has to be tuned for the production network it is on.


Finally, make sure to place the IDS behind the firewall. If you place it in front of the firewall you will receive so 
much traffic that it is just not valuable data. You have a firewall, so let the firewall do its job and block the 
already known bad activity, and catch what gets through the firewall with a IDS.


-FF

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------